Search Results

Search found 13454 results on 539 pages for 'ws security'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 172/539 | < Previous Page | 168 169 170 171 172 173 174 175 176 177 178 179  | Next Page >

  • Smart Client App: How to give Different Settings for Different Users

    - by Daniel
    Hi! I have a smart client application being deployed with a CickOnce webpage. here's the current scenario. User runs the application, and the application shows a login form. User enters ID/Password in the login form, and the application sends that information to the server. The server authenticates the user and sends configuration and data to the application. Different users have different configuration and data for their application. I was concerned that anyone can download the application from the webpage if they know the URL. So I'm trying to change the authentication scheme, so that users can login at the webpage to download the application. I want to send the authentication info from the webpage(Program running at the server) to the smart client app, so that application can download the configuration information from the server, without prompting users to make a login again. How can the webpage send the ID/Passoword to the application securely?

    Read the article

  • Documents/links on preventing HTML form fiddling?

    - by larryq
    Hi everyone, I'm using ASP.Net but my question is a little more general than that. I'm interested in reading about strategies to prevent users from fooling with their HTML form values and links in an attempt to update records that don't belong to them. For instance, if my application dealt with used cars and had links to add/remove inventory, which included as part of the URL the userid, what can I do to intercept attempts to munge the link and put someone else's ID in there? In this limited instance I can always run a check at the server to ensure that userid XYZ actually has rights to car ABC, but I was curious what other strategies are out there to keep the clever at bay. (Doing a checksum of the page, perhaps? Not sure.) Thanks for your input.

    Read the article

  • How do API Keys and Secret Keys work?

    - by viatropos
    I am just starting to think about how api keys and secret keys work. Just 2 days ago I signed up for Amazon S3 and installed the S3Fox Plugin. They asked me for both my Access Key and Secret Access Key, both of which require me to login to access. So I'm wondering, if they're asking me for my secret key, they must be storing it somewhere right? Isn't that basically the same thing as asking me for my credit card numbers or password and storing that in their own database? How are secret keys and api keys supposed to work? How secret do they need to be? Are these applications that use the secret keys storing it somehow? Thanks for the insight.

    Read the article

  • Hash Digest / Array Comparison in C#

    - by Erik Karulf
    Hi All, I'm writing an application that needs to verify HMAC-SHA256 checksums. The code I currently have looks something like this: static bool VerifyIntegrity(string secret, string checksum, string data) { // Verify HMAC-SHA256 Checksum byte[] key = System.Text.Encoding.UTF8.GetBytes(secret); byte[] value = System.Text.Encoding.UTF8.GetBytes(data); byte[] checksum_bytes = System.Text.Encoding.UTF8.GetBytes(checksum); using (var hmac = new HMACSHA256(key)) { byte[] expected_bytes = hmac.ComputeHash(value); return checksum_bytes.SequenceEqual(expected_bytes); } } I know that this is susceptible to timing attacks. Is there a message digest comparison function in the standard library? I realize I could write my own time hardened comparison method, but I have to believe that this is already implemented elsewhere.

    Read the article

  • Importance of verifying user email on web signup

    - by sunwukung
    I know this question is crazy - but my employers client is demanding that email verification be removed from the sign up process (they feel it is impeding sign up). I wanted to garner feedback from the programming community at large as to their experience and opinions regarding sign up and email verification - and the possible consequences of removing this safeguard.

    Read the article

  • Encrypt URL in asp.net

    - by Zerotoinfinite
    Hi All, My site is in asp.net 3.5 and C#. I am sending link to my user through mail, now I want to send each user a specific URL. so instead of sending the clear text I want to send link with encrypted string URL, which I will decrypt on my home page. Like instead of www.mysite.aspx\mypage?userId=12 i'll send www.mysite.aspx\mypage?UserId=)@kasd12 and the same i'll decrypt on my page so that I'll get the userId = 12. Please let me know if my approach is correct and not and how can I encrypt & decrypt the string in simplest and easier manner. Thanks in advance.

    Read the article

  • Can this be improved? Scrubing of dangerous html tags.

    - by chobo2
    I been finding that for something that I consider pretty import there is very little information or libraries on how to deal with this problem. I found this while searching. I really don't know all the million ways that a hacker could try to insert the dangerous tags. I have a rich html editor so I need to keep non dangerous tags but strip out bad ones. So is this script missing anything? It uses html agility pack. public string ScrubHTML(string html) { HtmlDocument doc = new HtmlDocument(); doc.LoadHtml(html); //Remove potentially harmful elements HtmlNodeCollection nc = doc.DocumentNode.SelectNodes("//script|//link|//iframe|//frameset|//frame|//applet|//object|//embed"); if (nc != null) { foreach (HtmlNode node in nc) { node.ParentNode.RemoveChild(node, false); } } //remove hrefs to java/j/vbscript URLs nc = doc.DocumentNode.SelectNodes("//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'javascript')]|//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'jscript')]|//a[starts-with(translate(@href, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'vbscript')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.SetAttributeValue("href", "#"); } } //remove img with refs to java/j/vbscript URLs nc = doc.DocumentNode.SelectNodes("//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'javascript')]|//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'jscript')]|//img[starts-with(translate(@src, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'vbscript')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.SetAttributeValue("src", "#"); } } //remove on<Event> handlers from all tags nc = doc.DocumentNode.SelectNodes("//*[@onclick or @onmouseover or @onfocus or @onblur or @onmouseout or @ondoubleclick or @onload or @onunload]"); if (nc != null) { foreach (HtmlNode node in nc) { node.Attributes.Remove("onFocus"); node.Attributes.Remove("onBlur"); node.Attributes.Remove("onClick"); node.Attributes.Remove("onMouseOver"); node.Attributes.Remove("onMouseOut"); node.Attributes.Remove("onDoubleClick"); node.Attributes.Remove("onLoad"); node.Attributes.Remove("onUnload"); } } // remove any style attributes that contain the word expression (IE evaluates this as script) nc = doc.DocumentNode.SelectNodes("//*[contains(translate(@style, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz'), 'expression')]"); if (nc != null) { foreach (HtmlNode node in nc) { node.Attributes.Remove("stYle"); } } return doc.DocumentNode.WriteTo(); }

    Read the article

  • How to securely transfer

    - by michaeltk
    I have two servers -- a backend server, and a frontend server. Every night, the backend server generates static .html files, which are then compressed into .tar format. I need to write a script that resides on the backend server that will transfer the .tar file to the frontend server, and then decompress that .tar file into to the public web directory of the frontend server. What is the standard, secure way to do this? Thanks in advance.

    Read the article

  • anyone know of a custom membership provider implementation that check password strength against in-b

    - by ronaldwidha
    I've got an Asp.net MVC app and before being able to go live, the IT have requested for us to comply with their password policy. The flexibility of AspnetSqlMembershipProvider doesn’t quite satisfy the requirement. The password strength and length rules are as follows: one lowercase one Uppercase one number and or special character 8 characters in length so far, aspnetsqlmembershipprovider is good... Not allowed to use: Dictionary words Names, real or fictional Plain language phrases Dates Telephone numbers Car registration numbers User IDs Postal codes Organization name Only the first 4 criteria are satisfied by the aspnetsqlmembershipprovider. Do you know of any third party products that offers this functionality (preferably in the form of a custom membership provider)?

    Read the article

  • IIS7 integrated mode closing token between requests

    - by user607287
    We are migrating to IIS7 integrated mode and have come across an issue. We authenticate using WindowsAuthentication but then store a reference to the WindowsPrincipal so that on future requests we can authorize as needed against AD. In IIS 7 Integrated mode, the token is being closed (between requests) so that when we try to run IsInRole it generates a disposed exception. Is there a way to cache this token or change our use of WindowsPrincipal so that we don't need to make successive AD requests to get it for each authorization request? Here is the exception being thrown from WindowsPrincipal.IsInRole("") - System.ObjectDisposedException: {"Safe handle has been closed"} Thanks.

    Read the article

  • Correct way to safely store token/secret/etc from OAuth?

    - by viatropos
    I just started looking into OAuth and it looks really nice. I have oauth with twitter working in ruby right now. Now I'm wondering, what is the recommended safe way to store the responses in my local database and session? What should I store? Where should I store it? This example twitter-oauth-with-rails app stores a user.id in the session, and the user table has the token and secret. But that seems like it'd be really easy to hack and get the secret by just passing in a slew of test user ids, no?

    Read the article

  • Should I convert overlong UTF-8 strings to their shortest normal form?

    - by Grant McLean
    I've just been reworking my Encoding::FixLatin Perl module to handle overlong UTF-8 byte sequences and convert them to the shortest normal form. My question is quite simply "is this a bad idea"? A number of sources (including this RFC) suggest that any over-long UTF-8 should be treated as an error and rejected. They caution against "naive implementations" and leave me with the impression that these things are inherently unsafe. Since the whole purpose of my module is to clean up messy data files with mixed encodings and convert them to nice clean utf8, this seems like just one more thing I can clean up so the application layer doesn't have to deal with it. My code does not concern itself with any semantic meaning the resulting characters might have, it simply converts them into a normalised form. Am I missing something. Is there a hidden danger I haven't considered?

    Read the article

  • How can I sign a Windows Mobile application for internal use?

    - by AR
    I'm developing a Windows Mobile application for internal company use, using the Windows Mobile 6 Professional SDK. Same old story: I've developed and tested on the emulator and all is well, but as soon as I deploy to advice I get an UnauthorizedAccessException when writing files or creating directories. I'm aware that an application installed to a device needs to be signed but I'm running into roadblocks at every turn: Using the project properties 'Devices' window I select 'Sign the project output with this certificate, and choose one of the sample certificates from the SDK. This results in a build error: "The signer's certificate is not valid for signing" when running SignTool. If I try to run SignTool.exe from the commandline, I get an error telling me to run SignTool.exe from a location in the system's PATH. I can't use the 'Signing' tab in the Project Properties to create a test certificate - this is greyed out (presumably for WinMobile projects?). If at all possible, I would like to avoid having to go through Versign or the like to get a Mobile2Market certificate. If I have to go this route for a final version that's fine, but I need to at least be able to test the app on real devices. Any advice would be most welcome!

    Read the article

  • SQL Injection When Using MySQLi Prepared Statements

    - by Sev
    If all that is used to do any and all database queries is MySQLi prepared statements with bound parameters in a web-app, is sql injection still possible? Notes I know that there are other forms of attack other than sql-injection, but my question is specific to sql-injection attacks on that particular web application only.

    Read the article

  • What's the best, Escape then store Or store then escape the output?

    - by Axel
    Hi, After doing a long search on stackoverflow i didn't find any one talked about this even if it's a big choice, the Question is what's the best in order to prevent both of XSS and SQL injection, Escaping the data then store it in the DB or Store it as it is and escape when output it? Note: it is better if you give some examples of practics if possible. Thanks

    Read the article

  • Too much data for RSA block fail. What is PKCS#7?

    - by Tom Brito
    Talking about javax.crypto.Cipher; I was trying to encrypt data using Cipher.getInstance("RSA/None/NoPadding", "BC"); but I got the exception: ArrayIndexOutOfBoundsException: too much data for RSA block Looks like is something related to the "NoPadding", so, reading about padding, looks like CBC is the best approach to use here. I found at google something about "RSA/CBC/PKCS#7", what is this "PKCS#7"? And why its not listed on sun's standard algorithm names?

    Read the article

  • mysqli_stmt_bind_param SQL Injection

    - by profitphp
    Is there still an injection risk when using prepared statements and mysqli_stmt_bind_param? For example: $malicious_input = 'bob"; drop table users'; mysqli_stmt_bind_param($stmt, 's', $malicious_input); Behind the scenes does mysqli_stmt_bind_param pass this query string to mysql: SET @username = "bob"; drop table users"; Or does it perform the SET command through the API, or use some type of protection to keep this from happening?

    Read the article

  • Self-signed ceritificates for many users/browsers/sites

    - by Demiurg
    Here is my problem - I have a lot of users using different browsers accessing many internal web sites using https. I can create my own Certificate Authority, than create a certificate for each server and after that have all the users import it. Obviously, it cannot work in reality - there are too many users and too many sites, and some sites will be added in the future. I'm looking for a way to automate this. Is there a way to create a certificate so that all major browsers (IE, FF, Opera, Chrome and Safari) would trust it for all servers ? If so, what is the best way to install it automatically in all major browsers ?

    Read the article

  • Prevent strings stored in memory from being read by other programs

    - by Roy
    Some programs like ProcessExplorer are able to read strings in memory (for example, my error message written in the code could be displayed easily, even though it is compiled already). Imagine if I have a password string "123456" allocated sequentially in memory. What if hackers are able to get hold of the password typed by the user? Is there anyway to prevent strings from being seen so clearly? Oh yes, also, if I hash the password and sent it from client to server to compare the stored database hash value, won't the hacker be able to store the same hash and replay it to gain access to the user account? Is there anyway to prevent replaying? Thank You!

    Read the article

  • Should I Use Anchor, Button Or Form Submit For "Follow" Feature In Rails

    - by James
    I am developing an application in Rails 3 using a nosql database. I am trying to add a "Follow" feature similar to twitter or github. In terms of markup, I have determined that there are three ways to do this. 1) Use a regular anchor. (Github Uses This Method) <a href="/users/follow?target=Joe">Follow</a> 2) Use a button. (Twitter Uses This Method) <button href="/friendships/create/">Follow</button> 3) Use a form with a submit button. (Has some advantages for me, but I haven't see anyone do it yet.) <form method="post" id="connection_new" class="connection_new" action="/users/follow"> <input type="hidden" value="60d7b563355243796dd8496e17d36329" name="target" id="target"> <input type="submit" value="Follow" name="commit" id="connection_submit"> </form> Since I want to store the user_id in the database and not the username, options 1 and 2 will force me to do a database query to get the actual user_id, whereas option 3 will allow me to store the user_id in a hidden form field so that I don't have to do any database lookups. I can just get the id from the params hash on form submission. I have successfully got each of these methods working, but I would like to know what is the best way to do this. Which way is more semantic, secure, better for spiders, etc...? Is there a reason both twitter and github don't use forms to do this? Any guidance would be appreciated. I am leaning towards using the form method since then I don't have to query the db to get the id of the user, but I am worried that there must be a reason the big guys are just using anchors or buttons for this. I am a newb so go easy on me if I am totally missing something. Thanks!

    Read the article

  • Restrict access to a specific URL, running on IIS7 / ASP.NET

    - by frankadelic
    I am deploying a public ASP.NET website on an IIS7 web farm. The application runs on 3 web servers and is behind a firewall. We want to create a single page on the website that is accessible only to internal users. It is primarily used for diagnostics, trigger cache expiry, etc. /admin/somepage.aspx What is the best way to control access to this page? We need to: Prevent all external (public) users from accessing the URL. Permit specific internal users to access the page, only from certain IPs or networks. Should this access control be done at the (a) network level, (b) application level, etc.?

    Read the article

  • Java - store sensitive data

    - by Mike
    Hello. I develop application with Java. I need to store some initial configuration data in some kind of file. I want my app to be able to read this data, but I don't want user to do so. Example : application loads IP from encrypted file. User sees like "dsda@#21da@" so he won't bother doing anything :) How should I do such a thing? Thanx!

    Read the article

  • Is it safe to read regular expressions from a file?

    - by Zilk
    Assuming a Perl script that allows users to specify several text filter expressions in a config file, is there a safe way to let them enter regular expressions as well, without the possibility of unintended side effects or code execution? Without actually parsing the regexes and checking them for problematic constructs, that is. There won't be any substitution, only matching. As an aside, is there a way to test if the specified regex is valid before actually using it? I'd like to issue warnings if something like /foo (bar/ was entered. Thanks, Z. EDIT: Thanks for the very interesting answers. I've since found out that the following dangerous constructs will only be evaluated in regexes if the use re 'eval' pragma is used: (?{code}) (??{code}) ${code} @{code} The default is no re 'eval'; so unless I'm missing something, it should be safe to read regular expressions from a file, with the only check being the eval/catch posted by Axeman. At least I haven't been able to hide anything evil in them in my tests. Thanks again. Z.

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 168 169 170 171 172 173 174 175 176 177 178 179  | Next Page >